nfactor - Group Extraction Followed by LDAP/Certificate Authentication Based on Group Membership on NetScaler

Article ID: CTX201742

Description

Use case

Group extraction in the first factor, with the next factor (certificate or LDAP) selected based on group membership.
Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

Introduction

This article describes the following scenarios:

  1. The administrator configures LDAP group extraction in the first factor.

  2. Based on the groups extracted during the first factor, next factors are configured that perform either LDAP authentication or certificate authentication.

These steps are described in detail below. The first section briefly introduces the entities encountered in this document, and in nFactor authentication in general. The next section illustrates the flow with a diagram. The following sections give example “LoginSchema” files that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that provides the UI tier with enough information to generate the user interface from the contents of the XML blob. Put another way, a LoginSchema is a logical representation of the logon form in XML.

It can be added as shown in the following example:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

Where: AuthenticationSchema is well-structured XML that defines how the login form is rendered. UserExpression is used to extract the username from the login attempt; likewise, passwordExpression is used to extract the password.

Authentication Policylabel

An authentication policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogeneous policies, meaning that the credentials received from the user apply to all the policies in the cascade. There are exceptions to this when a fallback option is configured or a feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When we bind an authentication policy to authentication vserver, we specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as shown in the following example:

add authentication policylabel <name> -loginSchema <loginSchemaName>

Where loginSchemaName is the login schema to associate with this authentication factor.

We can bind authentication policies to this label.

bind authentication policylabel <name> -policyName LDAP -priority 10 -nextFactor <nextFactorLabelName>

Use  Case description

  1. Upon accessing the login page at the authentication vserver (which is preceded by a redirect from the TM vserver), users see a logon form such as the one depicted in the next section. Once the user enters a username, groups are extracted. The initial logon page has only a username field, as shown.

    Here’s the example used for this specific representation of the logon form:

    root@ns# cat login_nopwd.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
      <Status>success</Status>
      <Result>more-info</Result>
      <StateContext></StateContext>
      <AuthenticationRequirements>
        <PostBack>/nf/auth/doAuthentication.do</PostBack>
        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
        <CancelButtonText>Cancel</CancelButtonText>
        <Requirements>
          <Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>User name</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply username as sAMAccountName</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
          <Requirement><Credential><Type>none</Type></Credential><Label><Text>Please submit credentials to continue Login ...</Text><Type>confirmation</Type></Label><Input /></Requirement>
          <Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>Remember my password</Text><Type>plain</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement>
          <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
        </Requirements>
      </AuthenticationRequirements>
    </AuthenticateResponse>
  2. The 2nd factor is configured as passthrough (i.e., there is no login page for this factor) with two NO_AUTHN policies. A NO_AUTHN policy means that if its rule evaluates to true, no authentication is performed and the session jumps to the next factor configured for that policy. Based on the policy evaluation, we have configured a jump to either the LDAP authentication factor or the certificate authentication factor.

  3. The LDAP action is configured to extract the groups. Say the group extracted is grp3. One of the NO_AUTHN policy rules is configured to check for the presence of the string “grp3”. If that policy evaluates to true, we can configure a jump to the next factor having LDAP authentication. Similarly, a policy can be configured whose next factor is certificate authentication.

  4. When the LDAP factor is selected after LDAP group extraction, we see the Login Schema below.

    The username value is prefilled using the expression ${http.req.user.name} which will extract the username from the first factor. Other fields such as labels for username and password can also be customized.
    Here’s the example used for this specific representation of logon form:

    root@ns# cat login1.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
      <Status>success</Status>
      <Result>more-info</Result>
      <StateContext></StateContext>
      <AuthenticationRequirements>
        <PostBack>/nf/auth/doAuthentication.do</PostBack>
        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
        <CancelButtonText>Cancel</CancelButtonText>
        <Requirements>
          <Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>User name</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either domain\username or user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue>${http.req.user.name}</InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
          <Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
          <Requirement><Credential><Type>none</Type></Credential><Label><Text>Second factor</Text><Type>confirmation</Type></Label><Input /></Requirement>
          <Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>Remember my password</Text><Type>plain</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement>
          <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
        </Requirements>
      </AuthenticationRequirements>
    </AuthenticateResponse>

    The customizable portions of the logon form are the label texts, the assistive text, and the initial values of the fields. Administrators can modify these values to suit their needs.

  5. If the certificate factor is selected after LDAP group extraction, the browser prompts the user to select a certificate.
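As an added example (not part of this article), a small Python reader for the LoginSchema format described in the "Entities used in nFactor" section and shown in login1.xml above: it renders the credential fields with the ${http.req.user.name} placeholder filled from the first factor, and lints the schema for password fields that are not masked. The XML is a trimmed copy of login1.xml constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"r": "http://citrix.com/authentication/response/1"}
PLACEHOLDER = re.compile(r"\$\{http\.req\.user\.name\}")

# Constructed sample: a trimmed copy of the login1.xml schema above, keeping
# only the elements this example reads.
LOGIN1_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status><Result>more-info</Result><StateContext></StateContext>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<Requirements>
<Requirement><Credential><ID>login</ID><Type>username</Type></Credential>
<Label><Text>User name</Text><Type>plain</Type></Label>
<Input><Text><Secret>false</Secret><InitialValue>${http.req.user.name}</InitialValue></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><Type>password</Type></Credential>
<Label><Text>Password:</Text><Type>plain</Type></Label>
<Input><Text><Secret>true</Secret><InitialValue></InitialValue></Text></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential>
<Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
</Requirements></AuthenticationRequirements></AuthenticateResponse>"""

def render_fields(xml_text, first_factor_user):
    """Input fields the UI tier draws for this schema, with ${http.req.user.name}
    replaced by the username gleaned in the first factor (Type 'none' = no input)."""
    fields = []
    for req in ET.fromstring(xml_text).findall(".//r:Requirements/r:Requirement", NS):
        ctype = req.findtext("r:Credential/r:Type", default="", namespaces=NS)
        text = req.find("r:Input/r:Text", NS)
        if ctype == "none" or text is None:
            continue
        initial = text.findtext("r:InitialValue", default="", namespaces=NS)
        fields.append({
            "id": req.findtext("r:Credential/r:ID", default="", namespaces=NS),
            "type": ctype,
            "secret": text.findtext("r:Secret", default="false", namespaces=NS) == "true",
            "value": PLACEHOLDER.sub(lambda _m: first_factor_user, initial),
        })
    return fields

def schema_problems(xml_text):
    """Lint before 'add authentication loginSchema': password fields must be
    masked (Secret=true) and the form must post back to the nFactor endpoint."""
    problems = []
    postback = ET.fromstring(xml_text).findtext(".//r:PostBack", default="", namespaces=NS)
    if postback != "/nf/auth/doAuthentication.do":
        problems.append(f"unexpected PostBack {postback!r}")
    for f in render_fields(xml_text, ""):
        if f["type"] == "password" and not f["secret"]:
            problems.append(f"password field {f['id']!r} is not Secret")
    return problems
```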

Sequence diagram for this flow when the LDAP authentication factor is selected

Policies for this use case

  1. TM and Auth vserver configuration:
    add lb vserver lbssl SSL 10.102.22.32 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.aaatm-test.com -Authentication ON
    add authentication vserver vServer_AAA-TM_nFactor SSL 10.102.22.30 443 -AuthenticationDomain aaatm-test.com
    add ssl certKey cacertkey -cert certnew1.cer
    bind ssl vserver vServer_AAA-TM_nFactor -certkeyName cacertkey -CA

  2. 1st factor configuration: loginschema with only a Username field, for LDAP group extraction
    add authentication loginSchema auth_login_schema_no_pwd -authenticationSchema login_nopwd.xml
    add authentication loginSchemaPolicy auth_schema_pol_Grp_extraction -rule true -action auth_login_schema_no_pwd
    add authentication ldapAction 10.10.22.22_LDAP_group_extraction -serverIP 10.10.22.22 -secType SSL -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword 1.citrix -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED
    add authentication Policy ldapgrpol -rule true -action 10.10.22.22_LDAP_group_extraction
    (This policy is bound to the AAA vserver "vServer_AAA-TM_nFactor" in step 5 below.)
    bind authentication vserver vServer_AAA-TM_nFactor -policy auth_schema_pol_Grp_extraction -priority 100 -gotoPriorityExpression END

  3. LDAP factor configuration:
    This will be the 3rd factor, selected based on the groups extracted, and will have one username field and one password field.
    #Add LDAP authentication server
    add authentication ldapAction 10.10.22.22_LDAP -serverIP 10.10.22.22 -secType SSL -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword 1.citrix -ldapLoginName samAccountName
    add authentication policy ldap_auth -rule true -action 10.10.22.22_LDAP
    #Add LoginSchema
    add authentication loginSchema auth_login_schema_ldap -authenticationSchema login1.xml -userCredentialIndex 1 -passwordCredentialIndex 2
    #Add Policylabel for LDAP Factor
    add authentication policylabel ldap_auth -loginSchema auth_login_schema_ldap
    bind authentication policylabel ldap_auth -policyName ldap_auth -priority 1 -gotoPriorityExpression NEXT

  4. Certificate factor configuration:
    This will be the 3rd factor, selected based on the groups extracted. The loginschema for certificate authentication is noschema.
    add authentication loginSchema auth_login_schema_noschema -authenticationSchema noschema
    set ssl parameter denySSLReneg NO
    add authentication certaction certact
    add authentication policy cert_auth -rule true -action certaction
    add authentication policylabel cert_auth -loginSchema auth_login_schema_noschema
    bind authentication policylabel cert_auth -policyName cert_auth -priority 1 -gotoPriorityExpression NEXT

  5. 2nd factor configuration and binding of the authentication policies to the AAA vserver:
    The second factor has two NO_AUTHN policies. Based on the groups extracted during the 1st factor, one of the two NO_AUTHN policies matches and the session moves to LDAP or certificate authentication in the next factor.
    add authentication loginSchema noschema -authenticationSchema noschema
    add authentication Policy no_ldap -rule "http.req.user.is_member_of(\"grp3\")" -action NO_AUTHN
    add authentication Policy no_cert -rule "http.req.user.is_member_of(\"grp10\")" -action NO_AUTHN
    add authentication policylabel u11 -loginSchema noschema
    bind authentication policylabel u11 -policyName no_ldap -priority 1 -gotoPriorityExpression NEXT -nextFactor ldap_auth
    bind authentication policylabel u11 -policyName no_cert -priority 2 -gotoPriorityExpression NEXT -nextFactor cert_auth
    bind authentication vserver vServer_AAA-TM_nFactor -policy ldapgrpol -nextFactor u11 -priority 1

The preceding configuration adds a TM vserver for resource access, an authentication vserver that secures the TM vserver, and the policies for this use case. The is_member_of rules in the no_ldap and no_cert policies are the proposed rules that pick the authentication policy, and therefore the next factor, for a given user.
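An added Python example, not from this article: it parses the NetScaler CLI lines for the decision factor, lints the policylabel bindings (a -nextFactor that names no policylabel, a NO_AUTHN policy without a next factor, whitespace inside an is_member_of group name), and evaluates which next factor a user with a given set of extracted groups reaches. The config text is a constructed sample from steps 3 to 5 with two deliberate defects, and the exact whole-name matching of is_member_of is an assumption.

```python
import re
import shlex

# Constructed sample built from the step 3 to step 5 commands above, with two deliberate
# defects: a trailing space inside the is_member_of() group name, and cert_auth left undefined.
CONFIG = r'''
add authentication policylabel ldap_auth -loginSchema auth_login_schema_ldap
add authentication Policy no_ldap -rule "http.req.user.is_member_of(\"grp3\")" -action NO_AUTHN
add authentication Policy no_cert -rule "http.req.user.is_member_of(\"grp10 \")" -action NO_AUTHN
add authentication policylabel u11 -loginSchema noschema
bind authentication policylabel u11 -policyName no_ldap -priority 1 -gotoPriorityExpression NEXT -nextFactor ldap_auth
bind authentication policylabel u11 -policyName no_cert -priority 2 -gotoPriorityExpression NEXT -nextFactor cert_auth
'''
MEMBER_OF = re.compile(r'is_member_of\("([^"]*)"\)', re.IGNORECASE)

def _flags(tokens):  # '-name value' pairs (NetScaler CLI options are single-dash)
    return {tokens[i][1:]: tokens[i + 1] for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def parse_config(text):
    """Collect authentication policies, policylabels and policylabel bindings."""
    policies, labels, bindings = {}, set(), {}
    for line in text.strip().splitlines():
        t = shlex.split(line)  # unescapes the \" inside the -rule string
        if t[0] == "add" and t[2].lower() == "policy":
            policies[t[3]] = _flags(t[4:])
        elif t[0] == "add" and t[2] == "policylabel":
            labels.add(t[3])
        elif t[0] == "bind" and t[2] == "policylabel":
            bindings.setdefault(t[3], []).append(_flags(t[4:]))
    return policies, labels, bindings

def lint(text):
    policies, labels, bindings = parse_config(text)
    problems = []
    for label, binds in bindings.items():
        for b in binds:
            pol, nf = policies.get(b.get("policyName"), {}), b.get("nextFactor")
            if pol.get("action") == "NO_AUTHN" and not nf:
                problems.append(f"{label}/{b['policyName']}: NO_AUTHN policy without -nextFactor")
            if nf and nf not in labels:
                problems.append(f"{label}/{b['policyName']}: -nextFactor {nf} is not a defined policylabel")
            for grp in MEMBER_OF.findall(pol.get("rule", "")):
                if grp != grp.strip():
                    problems.append(f"{label}/{b['policyName']}: group {grp!r} has surrounding whitespace")
    return problems

def next_factor(text, label, groups):
    """Evaluate a passthrough label as step 2 describes: bindings are tried in priority
    order and the first true rule hands the session to its nextFactor (exact-match assumed)."""
    policies, _, bindings = parse_config(text)
    for b in sorted(bindings.get(label, []), key=lambda b: int(b["priority"])):
        rule = policies[b["policyName"]].get("rule", "")
        wanted = MEMBER_OF.findall(rule)
        if rule == "true" or (wanted and all(g in groups for g in wanted)):
            return b.get("nextFactor")
    return None  # nothing matched: the factor fails and the user is not logged in
```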

The above nFactor configuration can also be built with the nFactor Visualizer, a feature available from firmware 13.0 onward.

Complete Flow:

  1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add.
  2. Click on the + sign to add the nFactor Flow.
  3. Add Factor; this will be the name of the nFactor Flow. Click on Create.
  4. Click on “Add Schema” to add the login schema for the first factor. If the login schema is already created, select it from the drop-down list; if not, click on Add. Click on Create and then click on OK.
  5. Click on “Add Policy” to add the first factor authentication, i.e. Group Extraction. Click on “Add” and create the policy. If the LDAP server is already added, select it from the drop-down list; if not, click on “Add” and create an LDAP server with Authentication disabled. Click on Create and then click on Add.
  6. Click on the green + sign on the right of the Group-Ext policy to create a decision block for group evaluation. Click on Create.
  7. Click on “Add Policy” to check which group the user belongs to; the action here will be no_auth by default. Click on Create and then click on Add.
  8. Click on the blue + icon below the Group-1 policy to add another policy that checks whether the user is part of the group that requires certificate-based authentication as the second factor. Click on Create and then click on Add.
  9. Click on the green + icon adjacent to the Group-1 policy to add the LDAP authentication factor. Click on Create.
  10. Click on “Add Schema” to add the schema for LDAP authentication. This schema will have the username prefilled from the first factor authentication. Click on Create and then click on Add.
  11. Click on “Add Policy” to add the LDAP authentication policy; if it is already added, select it from the drop-down list, otherwise click on Add. Create the LDAP auth policy; this LDAP action or server will have authentication enabled. Click on Create and then click on Add.
  12. Click on the green + icon adjacent to the Group-2 policy of the decision block to add the certificate-based authentication. Click on Create.
  13. Click on “Add Policy” to add the certificate authentication policy. Click on Create for the action, then click on Create and then on Add for the policy, and finally click on Done.
  14. Select the nFactor Flow and click on “Bind to Authentication Server”.


Important ns.log messages seen during this case

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1067 0 :  "core 0: ns_get_username_password: loginschema gleaned is nopassword "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1068 0 :  "aaad_authenticate_req: copying policylabel name auth1 to aaa info, type 33 for auth "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 1069 0 :  SPCBId 575 - ClientIP 10.102.229.222 - ClientPort 59569 - VserverServiceIP 10.102.42.30 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1070 0 :  "sslvpn_extract_attributes_from_resp: attributes copied so far are user1@aaatm-test.com "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAATM Message 1072 0 :  "copying next factor u11 in aaa info for user1 "

Jul 31 01:18:36 <local0.info> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAA EXTRACTED_GROUPS 1073 0 :  Extracted_groups "grp3"

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAA Message 1074 0 :  "nFactor: Next factor u11 is configured as passthough/implicit, loginschema noschema"

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1075 0 :  "aaad_authenticate_req: copying policylabel name u11 to aaa info, type 65 for auth "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAATM Message 1076 0 :  "copying next factor u11ldap in aaa info for user1 "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1077 0 :  "updating session with policylabel:u11ldap "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1078 0 :  "updating session with policylabel:u11ldap "

Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default SSLVPN Message 1079 0 :  "LOGINSCHEMA: attribute extracted is 5 user1 "

Jul 31 01:18:39 <local0.info> 127.0.0.2 07/31/2015:01:18:39 GMT  0-PPE-0 : default SSLVPN Message 1080 0 :  "LOGIN: CGI/LOGIN: Continuing auth for user user1 at factor u11ldap with login schema login11"

Jul 31 01:18:39 <local0.debug> 127.0.0.2 07/31/2015:01:18:39 GMT  0-PPE-0 : default SSLVPN Message 1081 0 :  "aaad_authenticate_req: copying policylabel name u11ldap to aaa info, type 65 for auth "

Jul 31 01:18:39 <local0.info> 127.0.0.2 07/31/2015:01:18:39 GMT  0-PPE-0 : default AAATM LOGIN 1085 0 : Context user1@10.102.229.222 - SessionId: 14- User user1 - Client_ip 10.102.229.222 - Nat_ip "Mapped Ip" - Vserver 10.102.42.30:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
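An added Python example, not from this article: a parser for the ns.log records above that reconstructs the factor path (the groups the first factor extracted, the next factors the session was handed to, and the login schema served at each factor) together with the Group(s) value on the final AAATM LOGIN record, so the two can be compared when reviewing a session. The sample records are copied from the excerpt above; the comma-separated form of several extracted groups in one record is an assumption.

```python
import re

# Sample records copied from the ns.log excerpt above (one session for user1),
# limited to the messages this example reads.
NS_LOG = r'''
Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAATM Message 1072 0 :  "copying next factor u11 in aaa info for user1 "
Jul 31 01:18:36 <local0.info> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAA EXTRACTED_GROUPS 1073 0 :  Extracted_groups "grp3"
Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAA Message 1074 0 :  "nFactor: Next factor u11 is configured as passthough/implicit, loginschema noschema"
Jul 31 01:18:36 <local0.debug> 127.0.0.2 07/31/2015:01:18:36 GMT  0-PPE-0 : default AAATM Message 1076 0 :  "copying next factor u11ldap in aaa info for user1 "
Jul 31 01:18:39 <local0.info> 127.0.0.2 07/31/2015:01:18:39 GMT  0-PPE-0 : default SSLVPN Message 1080 0 :  "LOGIN: CGI/LOGIN: Continuing auth for user user1 at factor u11ldap with login schema login11"
Jul 31 01:18:39 <local0.info> 127.0.0.2 07/31/2015:01:18:39 GMT  0-PPE-0 : default AAATM LOGIN 1085 0 : Context user1@10.102.229.222 - SessionId: 14- User user1 - Client_ip 10.102.229.222 - Nat_ip "Mapped Ip" - Vserver 10.102.42.30:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
'''

# syslog prefix, then "<profile> <module> <event> <id> <n> : <message>"
RECORD = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) <(?P<sev>[^>]+)> \S+ \S+ GMT +(?P<ppe>\S+) : '
    r'(?P<profile>\S+) (?P<module>\S+) (?P<event>\S+) (?P<id>\d+) \d+ : +(?P<msg>.*)$')
NEXT_FACTOR = re.compile(r'copying next factor (\S+) in aaa info for (\S+)')
CONTINUE = re.compile(r'Continuing auth for user (\S+) at factor (\S+) with login schema (\S+)')
GROUPS = re.compile(r'Extracted_groups "([^"]*)"')
LOGIN = re.compile(r'User (\S+) - .*Group\(s\) "([^"]*)"')

def parse_record(line):
    """Split one ns.log line into its fields; Message bodies are quoted, others are not."""
    m = RECORD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"].strip()
    if msg.startswith('"') and msg.endswith('"'):
        msg = msg[1:-1].strip()
    rec["msg"] = msg
    return rec

def trace_session(log_text):
    """Reconstruct the nFactor path: extracted groups, the factors the session was
    handed to, the login schema served at each factor, and the Group(s) value on
    the final AAATM LOGIN record (compare it with the extracted groups)."""
    trace = {"user": None, "groups": [], "factors": [], "schemas": {}, "login_groups": None}
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["event"] == "EXTRACTED_GROUPS":
            # assumption: several groups are logged comma-separated in one string
            trace["groups"] += [g.strip() for g in GROUPS.search(rec["msg"]).group(1).split(",")]
        elif m := NEXT_FACTOR.search(rec["msg"]):
            trace["factors"].append(m.group(1))
            trace["user"] = m.group(2)
        elif m := CONTINUE.search(rec["msg"]):
            trace["schemas"][m.group(2)] = m.group(3)
        elif rec["event"] == "LOGIN" and (m := LOGIN.search(rec["msg"])):
            trace["login_groups"] = m.group(2)
    return trace
```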


Additional Information

Concepts, Entities and Terms used for nFactor Authentication through NetScaler